pango is vulnerable to arbitrary code execution. The vulnerability exists as an input sanitization flaw, leading to a heap-based buffer overflow, was found in the way Pango displayed font files when using the FreeType font engine back end. If a user loaded a malformed font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
openwall.com/lists/oss-security/2011/01/18/6
openwall.com/lists/oss-security/2011/01/20/2
osvdb.org/70596
secunia.com/advisories/42934
secunia.com/advisories/43100
www.redhat.com/support/errata/RHSA-2011-0180.html
www.securityfocus.com/bid/45842
www.securitytracker.com/id?1024994
www.vupen.com/english/advisories/2011/0186
www.vupen.com/english/advisories/2011/0238
access.redhat.com/errata/RHSA-2011:0180
access.redhat.com/security/cve/CVE-2011-0020
access.redhat.com/security/updates/classification/#moderate
bugs.launchpad.net/ubuntu/+source/pango1.0/+bug/696616
bugzilla.gnome.org/show_bug.cgi?id=639882
bugzilla.redhat.com/show_bug.cgi?id=671122
exchange.xforce.ibmcloud.com/vulnerabilities/64832